Forum Discussion

veato
Oct 01, 2015

Opening a Port Range

This may be quite simple for the BIG-IP pros but I'm not sure of the best way to do what I need.

I have an FTP site in IIS with a data channel port range defined (30000-30300) and the IP address of the external firewall, i.e. the TMG listener IP, and SSL is required. I also have an HTTPS (443) site bound to the FTP site so the directory can be browsed and HTTPS download links provided.

In TMG, access to the HTTPS site is a simple web publishing rule, and I can replicate this on F5 using the HTTP iApp easily enough.

But also, currently in TMG I have a server publishing rule that applies from [anywhere] to [ftp server IP] using the listener IP defined for the FTP service on the external network. In addition, this rule has a custom protocol with the port ranges opened for both inbound and outbound connections: 21, 989-990, 30000-30300. This is to allow me to configure an FTP client (FileZilla) to use FTPES (explicit/passive) for uploads and downloads, and it works fine.

How, though, do I configure this second part on my F5 LTM?

 

  • I would try a network forwarding virtual server with an iRule similar to this attached:

    when CLIENT_ACCEPTED {
       # Only admit connections whose destination port falls inside the
       # passive FTP data range (30000-30300); reset everything else.
       if {!([TCP::local_port] >= 30000 && [TCP::local_port] <= 30300)} {
          reject
       }
    }
    
    • veato
      As I also have a virtual server for 443 traffic to the same server, would this iRule interfere with that and reject the 443?
  • Hi,

    What are your published services?

    • HTTPS
    • FTP

    If I understand your request, you want to allow FTP data connections?

    If you define an FTP virtual server with an ftp profile, all related dynamic TCP connections will be allowed without any other configuration.

    To answer your last comment: if you create a VS with Any port and another with port 443, port 443 will be handled by the HTTPS VS and all other ports by the Any-port VS.
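As an added example (not from the thread and not the poster's own configuration), the tmsh commands that build what this answer describes: an FTP virtual server carrying the ftp profile, and a separate HTTPS virtual server on port 443 of the same listener IP. The addresses (203.0.113.10 for the external listener, 10.0.0.10 for the IIS server) and all object names are hypothetical placeholders.

```tmsh
# Added example, not configuration from the thread. Hypothetical values:
#   203.0.113.10 = external listener IP (takes over the TMG listener's role)
#   10.0.0.10    = IIS server hosting both the FTP and the HTTPS site

# Pool for the FTP control channel. Only port 21 is needed here: the ftp
# profile learns each passive data port from the PASV/EPSV reply.
create ltm pool pool_iis_ftp members add { 10.0.0.10:21 } monitor tcp

# FTP virtual server. The ftp profile tracks the control channel and admits
# the matching data connections on demand, so the 30000-30300 range does not
# need a virtual server of its own. Automap SNAT keeps the server-side
# connections sourced from a BIG-IP self IP.
create ltm virtual vs_iis_ftp destination 203.0.113.10:21 ip-protocol tcp pool pool_iis_ftp profiles add { tcp ftp } source-address-translation { type automap }

# HTTPS virtual server on the same IP. TLS is passed straight through to IIS,
# which already holds the certificate (as with the TMG web publishing rule).
create ltm pool pool_iis_https members add { 10.0.0.10:443 } monitor tcp
create ltm virtual vs_iis_https destination 203.0.113.10:443 ip-protocol tcp pool pool_iis_https profiles add { tcp } source-address-translation { type automap }

# Precedence: 203.0.113.10:443 is more specific than 203.0.113.10:0 (port
# "any"), so an any-port forwarding VS on this IP would never receive port 443.
# Review what was built, then persist it.
list ltm virtual vs_iis_ftp
list ltm virtual vs_iis_https
save sys config
```

One caveat worth checking before relying on this: the ftp profile can only open the data ports it sees negotiated on the control channel. With FTPES the control channel is encrypted after AUTH TLS, so unless the BIG-IP itself terminates that TLS session it cannot read the PASV reply, and the passive range would still have to be published explicitly (for instance with a forwarding virtual server restricted to 30000-30300, as in the first reply).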